Your board's records, minutes, disclosures, and members' information are sensitive. We built NonprofitBOD to protect them with sensible, modern security practices. This page describes what we do today. We are an independent, early-stage product and are transparent about our posture rather than overstating it.
Data in transit
All traffic to NonprofitBOD is encrypted with HTTPS (TLS). We enforce HTTPS with HSTS so browsers refuse to connect insecurely.
Data at rest
Sensitive secrets, such as integration API keys and access tokens, are encrypted at rest using platform data-protection keys, not stored in plaintext. We never store your board members' passwords, because there are none (see below).
Passwordless authentication
Sign-in is passwordless: we email a secure, single-use, time-limited link. There is no password to guess, reuse, phish, or leak. Sign-in links and tokens are stored only as one-way hashes, and are consumed atomically so a link cannot be redeemed twice. Sessions use hardened cookies (HttpOnly, Secure, SameSite).
Access control and tenant isolation
Every board is isolated. A request only ever returns data for boards you belong to, and sensitive actions are additionally restricted by role (for example, only an Executive Director or Chair can manage members or settings). Programmatic access (our AI assistant integration) uses scoped, revocable tokens.
Application hardening
- A strict Content-Security-Policy plus security response headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy).
- Rate limiting on sign-in, invitations, and billing endpoints to resist abuse.
- PKCE on our OAuth authorization flow, single-use authorization codes, and refresh-token rotation.
- Uploaded images are validated by content, not just file extension, to prevent disguised-file attacks.
- Open-redirect protection on all post-sign-in redirects.
Payments
Payments are processed by Stripe, a PCI-certified provider. NonprofitBOD never sees or stores full card numbers.
Your data is yours
You own your board's data and can export a complete copy at any time from within the app. On account deletion, we delete or de-identify your data in line with our Privacy Policy.
Subprocessors
We rely on a small set of vetted service providers (for payments, email delivery, image hosting, optional AI features, and analytics). They are listed in our Privacy Policy.
Responsible disclosure
If you believe you have found a security issue, please email [email protected] with the details. We appreciate responsible disclosure and will work with you to resolve valid issues promptly. Please do not publicly disclose an issue before we have had a chance to address it.
On certifications
We do not yet hold formal certifications such as SOC 2. We would rather tell you plainly what we do than imply a certification we have not earned. As we grow, formal audits are on our roadmap; if your organization requires specific assurances, contact us at [email protected] and we will share what we can.
See also our Privacy Policy and Terms of Service.
